Introduction to Security
Risk Management & Privacy
Standards & Policies
Secure App Development
Application Attacks
100

This fundamental cybersecurity principle ensures that data is not altered without authorization.

What is integrity?

100

This is the potential for loss, damage, or destruction of an asset due to a threat.

What is risk?

100

This document outlines rules for acceptable use of company systems.

What is an Acceptable Use Policy (AUP)?

100

This simple input-validation practice ensures a program accepts only expected, safe data.

What is whitelisting / allow-listing?

100

This attack tricks a user into giving up information by pretending to be a trusted source.

What is phishing?

200

This type of threat comes from within the organization, such as a disgruntled employee.

What is an insider threat?

200

This type of risk remains after all possible safeguards are applied.

What is residual risk?

200

This NIST publication series provides security controls for federal information systems.

What is NIST 800-53?

200

This environment is used to test software changes before pushing them into production.

What is a staging (or test) environment?

200

This attack occurs when a website fails to sanitize input and an attacker injects code into an input field.

What is cross-site scripting (XSS)?

300

This principle ensures that users only access what they need to perform their job.

What is least privilege?

300

This law governs the privacy and protection of personal medical information in the United States.

What is HIPAA?

300

This framework organizes cybersecurity into Identify, Protect, Detect, Respond, and Recover.

What is the NIST Cybersecurity Framework (CSF)?

300

This secure coding practice separates responsibilities so that no single person has too much authority.

What is separation of duties?

300

This database attack allows attackers to manipulate backend queries using crafted input text.

What is SQL injection?

400

This model describes security using three components: people, process, and technology.

What is the security triad (or PPT model)?

400

This method of reducing risk involves shifting responsibility to a third party, such as buying insurance.

What is risk transference?

400

This standard governs payment card data security for merchants and processors.

What is PCI-DSS?

400

This practice integrates security testing throughout the software development lifecycle, not just at the end.

What is DevSecOps?

400

This attack exploits broken authentication to steal tokens and impersonate users, especially in cloud and API systems.

What is session hijacking?

500

This formal, structured method identifies organizational assets, vulnerabilities, threats, and controls.

What is a risk management methodology?

500

Under privacy-by-design, this principle states that personal data should only be collected for specific, explicit reasons.

What is purpose limitation?

500

This type of policy defines management’s intentions and directives for information security and forms the top of the policy hierarchy.

What is the Information Security Policy (“high-level policy”)?

500

This rule in secure coding states that software should “fail safely,” without exposing sensitive information.

What is fail-secure design?

500

This advanced attack tricks a user’s browser into executing unauthorized commands on a trusted site using their credentials.

What is cross-site request forgery (CSRF)?
